- 14 10月, 2020 1 次提交
-
-
由 Nicola Tuveri 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13018)
-
- 28 9月, 2020 1 次提交
-
-
由 hklaas 提交于
Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers. CLA: trivial Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/13000)
-
- 13 9月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
-
由 Matt Caswell 提交于
We fix 3 problems with safestack: - Including an openssl header file without linking against libcrypto can cause compilation failures (even if the app does not otherwise need to link against libcrypto). See issue #8102 - Recent changes means that applications in no-deprecated builds will need to include additional macro calls in the source code for all stacks that they need to use - which is an API break. This changes avoids that necessity. - It is not possible to write code using stacks that works in both a no-deprecated and a normal build of OpenSSL. See issue #12707. Fixes #12707 Contains a partial fix for #8102. A similar PR will be needed for hash to fully fix. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
-
- 24 7月, 2020 1 次提交
-
-
由 Shane Lontis 提交于
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)
-
- 19 6月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
A number of these functions returned a NID or an array of NIDs for the groups. Now that groups can come from the providers we do not necessarily know the NID. Therefore we need to handle this in a clean way. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
-
由 Matt Caswell 提交于
Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported group list based on the loaded providers. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
-
- 19 5月, 2020 1 次提交
-
-
由 Dmitry Belyavskiy 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11442)
-
- 24 4月, 2020 1 次提交
-
-
由 Rich Salz 提交于
... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds and not non-deprecated builds. Deprecate stack-of-block Better documentation Move some ASN1 struct typedefs to types.h Update ParseC to handle this. Most of all, ParseC needed to be more consistent. The handlers are "recursive", in so far that they are called again and again until they terminate, which depends entirely on what the "massager" returns. There's a comment at the beginning of ParseC that explains how that works. {Richard Levtte} Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10669)
-
- 19 4月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
There were a few places where we were not passing through the libctx when constructing and EVP_PKEY_CTX. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
-
- 18 4月, 2020 1 次提交
-
-
由 Nikolay Morozov 提交于
For GOST2012-GOST8912-GOST8912 IANA introduce ClientCertificateType Identifiers https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11558)
-
- 02 4月, 2020 2 次提交
-
-
由 Nikolay Morozov 提交于
For GOST2012-GOST8912-GOST8912 was used 0xFF85 identifier, but new identifier 0xc102 was assigned. Because of old software we will support both numbers. https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 https://datatracker.ietf.org/doc/draft-smyshlyaev-tls12-gost-suites/Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11403)
-
由 Matt Caswell 提交于
We should use EVP_PKEY_CTX_new_from_pkey() to ensure we use the correct libctx. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11401)
-
- 30 3月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
Caching the X509v3 extensions requires an explicit libctx. We do that where required in libssl. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11409)
-
- 14 3月, 2020 1 次提交
-
-
由 Benjamin Kaduk 提交于
Use a space after a comma. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10943)
-
- 20 2月, 2020 1 次提交
-
-
由 Pauli 提交于
Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024)
-
- 06 2月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
When we use an EVP_PKEY_CTX in libssl we should be doing so with the OPENSSL_CTX and property query string that were specified when the SSL_CTX object was first created. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
-
由 Matt Caswell 提交于
We modify libssl to use explicitly fetched ciphers, digests and other algorithms as required based on the configured library context and property query string for the SSL_CTX that is being used. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
-
- 29 1月, 2020 1 次提交
-
-
由 Pauli 提交于
Backwards compatibility with the old ticket key call back is maintained. This will be removed when the low level HMAC APIs are finally removed. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10836)
-
- 24 1月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
Now that libssl knows about libctx we should use it wherever we generate a random number. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10927)
-
- 18 10月, 2019 1 次提交
-
-
由 Rich Salz 提交于
Deprecate the BUF_ string macros Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10207)
-
- 29 9月, 2019 1 次提交
-
-
由 Dr. Matthias St. Pierre 提交于
Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
-
- 06 8月, 2019 1 次提交
-
-
由 raja-ashok 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9323)
-
- 17 7月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
This function was always returning 0. It should return 1 on success. Fixes #9374 Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9395)
-
- 18 6月, 2019 2 次提交
-
-
由 Matt Caswell 提交于
The previous 2 commits moved supported groups and ciphers out of the session object to avoid race conditions. We now also move ecpointformats for consistency. There does not seem to be a race condition with access to this data since it is only ever set in a non-resumption handshake. However, there is no reason for it to be in the session. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9162)
-
由 Matt Caswell 提交于
In TLSv1.3 the supported groups can be negotiated each time a handshake occurs, regardless of whether we are resuming or not. We should not store the supported groups information in the session because session objects can be shared between multiple threads and we can end up with race conditions. For most users this won't be seen because, by default, we use stateless tickets in TLSv1.3 which don't get shared. However if you use SSL_OP_NO_TICKET (to get stateful tickets in TLSv1.3) then this can happen. The answer is to move the supported the supported group information into the SSL object instead. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9162)
-
- 17 6月, 2019 2 次提交
-
-
由 Matt Caswell 提交于
Make sure that the combination of no-ec with no-dh builds successfully. If neither ec or dh are available then TLSv1.3 is not possible. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9156)
-
由 Matt Caswell 提交于
Now that we have TLSv1.3 FFDHE support there is no reason why we should not allow TLSv1.3 to be used in a no-ec build. This commit enables that to happen. It also fixes no-ec which was previously broken. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9156)
-
- 13 6月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
The recent TLSv1.3 FFDHE support missed a few OPENSSL_NO_DH guards. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9153)
-
- 12 6月, 2019 1 次提交
-
-
由 raja-ashok 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8178)
-
- 01 5月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8850)
-
- 30 4月, 2019 1 次提交
-
-
由 Todd Short 提交于
With the removal of SSLv2, the s3 structure is always allocated, so there is little point in having it be an allocated pointer. Collapse the ssl3_state_st structure into ssl_st and fixup any references. This should be faster than going through an indirection and due to fewer allocations, but I'm not seeing any significant performance improvement; it seems to be within the margin of error in timing. Reviewed-by: NPaul Yang <yang.yang@baishancloud.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7888)
-
- 29 3月, 2019 1 次提交
-
-
由 Richard Levitte 提交于
Fixes #4856 Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1928)
-
- 06 3月, 2019 1 次提交
-
-
由 Richard Levitte 提交于
Co-authored-by: NDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8198)
-
- 06 12月, 2018 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7768)
-
- 15 11月, 2018 1 次提交
-
-
由 Antoine Salon 提交于
Signed-off-by: NAntoine Salon <asalon@vmware.com> Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522)
-
- 13 11月, 2018 1 次提交
-
-
由 Viktor Dukhovni 提交于
SSL_get_signature_nid() -- local signature algorithm SSL_get_signature_type_nid() -- local signature algorithm key type SSL_get_peer_tmp_key() -- Peer key-exchange public key SSL_get_tmp_key -- local key exchange public key Aliased pre-existing SSL_get_server_tmp_key(), which was formerly just for clients, to SSL_get_peer_tmp_key(). Changed internal calls to use the new name. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 30 8月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Thanks to @fangang190 for reporting this issue. Fixes #7060 Reviewed-by: NPaul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/7065)
-
- 15 8月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
-
- 20 7月, 2018 1 次提交
-
-
由 Benjamin Kaduk 提交于
The API used to set what SNI value to send in the ClientHello can also be used on server SSL objects, with undocumented and un-useful behavior. Unfortunately, when generic SSL_METHODs are used, s->server is still set, prior to the start of the handshake, so we cannot prevent this nonsensical usage at the present time. Leave a note to revisit this when ABI-breaking changes are permitted. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6378)
-